Creates and executes the following file:
%CurrentFolder%\hms.exe
Note: %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
Creates the following files:
* %System%\Zykheptd.dll
* %System%\Zykheptd.sys
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Injects %System%\Zykheptd.dll into the following Windows process:
SVCHOST.EXE
Creates a hidden device service, which is a kernel-mode rootkit that enables the Trojan to hide any files and registry entries it creates.
Creates registry entries under the following registry subkeys when creating the above service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Zykheptd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZYKHEPTD
Adds the value:
"ServiceDLL" = "%System%\Zykheptd.dll"
to the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters
Adds the value:
"(default)" = "rundll32.exe [PATH TO TROJAN DLL FILE], Do98Work"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts, on computers running Windows 9X.
Attempts to open a back door on the compromised computer by connecting to the following domain, on TCP ports 80 and 8080:
data.lovequintet.com
Allows a remote attacker to use this back door to perform the following actions on the compromised computer:
* List active ports
* List processes, services, and threads
* Download and execute remote files
* Upload files
* Run a system shell
* Modify registry entries
* End processes
* Get system and network information
Arrives on the compromised computer as a malicious Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow vulnerability (as described in Security Focus BID 12960).
I AM NOT RESPONSIBLE FOR ANYTHING USE IT YOUR OWN RISK
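The host-side checks a defender would run for the artifacts listed above, as an added PowerShell example that is not part of the original writeup. It assumes the System folder is the one [Environment]::GetFolderPath('System') returns, that nothing legitimate uses the Zykheptd name, and that the script runs with administrative rights so svchost.exe module lists are readable.

```powershell
# Added example: read-only triage for the Zykheptd artifacts described in the writeup.
# Because the kernel-mode rootkit hides its own files and registry entries, an empty
# result on a live infected host is not conclusive; prefer a clean-boot environment
# or an offline image of the disk and registry hives.
function Find-ZykheptdArtifacts {
    $sys = [Environment]::GetFolderPath('System')   # resolves %System% on this host
    $findings = @()

    # 1. Dropped files
    foreach ($f in "$sys\Zykheptd.dll", "$sys\Zykheptd.sys") {
        if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
    }

    # 2. Service key and legacy enum key created for the hidden device service
    $svcKeys = 'HKLM:\SYSTEM\CurrentControlSet\Services\Zykheptd',
               'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZYKHEPTD'
    foreach ($k in $svcKeys) {
        if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
    }

    # 3. dmserver ServiceDLL hijack: the value should never name Zykheptd.dll
    $dm  = 'HKLM:\SYSTEM\CurrentControlSet\Services\dmserver\Parameters'
    $dll = (Get-ItemProperty -LiteralPath $dm -ErrorAction SilentlyContinue).ServiceDLL
    if ($dll -and $dll -match 'Zykheptd\.dll') {
        $findings += "dmserver ServiceDLL points at trojan DLL: $dll"
    }

    # 4. Run key (default) value launching rundll32 with the Do98Work export
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $def = (Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue).'(default)'
    if ($def -and $def -match 'rundll32.*Do98Work') {
        $findings += "Run key (default) value: $def"
    }

    # 5. Injected DLL: any svchost.exe with Zykheptd.dll in its module list
    foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq 'Zykheptd.dll' }) {
                $findings += "Zykheptd.dll loaded in svchost.exe PID $($p.Id)"
            }
        } catch { }   # module list of a protected or mismatched-bitness process is unreadable
    }

    # 6. C2 domain in the local DNS resolver cache (evidence of a beacon attempt)
    $dns = ipconfig /displaydns 2>$null
    if ($dns -match 'data\.lovequintet\.com') { $findings += 'DNS cache: data.lovequintet.com' }

    return $findings
}

Find-ZykheptdArtifacts
```

An empty array means none of the listed artifacts were visible from this session; each string returned identifies one artifact to preserve before any cleanup.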